System and method for collecting forensic data via a mobile device

ABSTRACT

Embodiments of search systems that leverage the search or access activities of a core group of users to improve search functionality and performance of such search systems are disclosed. Specifically, embodiments may utilize users' search activity to generate clusters of users and associated labels for those clusters. These clusters can be leveraged during a search to generate suggestions for a user conducting the search.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation of, and claims a benefit of priority under 35 U.S.C. 120 of the filing date of U.S. patent application Ser. No. 14/192,846, filed Feb. 27, 2014 entitled “SYSTEM AND METHOD FOR COLLECTING FORENSIC DATA VIA A MOBILE DEVICE,” which claims a benefit of priority under 35 U.S.C. § 119 to U.S. Provisional Application No. 61/771,047, filed Feb. 28, 2013, entitled “SYSTEM AND METHOD FOR COLLECTING FORENSIC DATA VIA A MOBILE DEVICE,” by inventor Shawn McCreight which is hereby incorporated herein for all purposes.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material to which a claim for copyright is made. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but reserves all other copyright rights whatsoever.

TECHNICAL FIELD

This invention relates generally to forensic data collection, and more particularly, to quickly collecting forensic data in the field via a mobile device.

BACKGROUND

It is often desirable to collect forensic data quickly in the field without having to invoke specialized computer equipment or having to be an expert in computer forensics. Specifically, it is often desirable to collect forensic data with equipment that field officers often have at hand, such as mobile phones, tablets, or the like. Once collected via such standard devices, the collected data can be taken to a forensic professional for full analysis as required.

The gathering of forensic data for criminal investigations often requires a search warrant. A law enforcement official typically generates the search warrant identifying the object and/or location of the search. The law enforcement official takes the search warrant to a judge for approval and presents the approved search warrant to an individual being investigated prior to conducting the search. If during the investigation the law enforcement official determines that other documents or areas need to be investigated which are beyond the scope of the current warrant, the law enforcement officer returns to his/her headquarters to obtain a new warrant. However, by the time that the new warrant is approved and the law enforcement officer returns to the field to resume the search, the material to be investigated may have disappeared.

Accordingly, what is desired is a system and method for efficiently creating, reviewing, approving and transmitting search warrants to the investigating officers to allow efficient and quick collection of forensic data.

Accordingly, what is desired are systems and methods for improving the functionality of searching in DAM or other types of systems to, for example, improve computing performance of such systems, reduce the burden of implementing such searches and improve the results of such searches.

SUMMARY

Embodiments of the present invention are directed to a server and method for conducting forensic investigations by investigators on an investigations field. The server includes a processor, and a memory that stores program instructions for being executed by the processor. Such program instructions include: receiving a digital search warrant including one or more search parameters for conducting a forensic investigation; notifying a mobile device of the digital search warrant; receiving a user command to download the digital search warrant in response to the notifying; and downloading the digital search warrant to the mobile device in response to the received user command. According to one embodiment, the digital search warrant is configured to be electronically parsed by the mobile device for automatically identifying and collecting data from a target device in the investigations field during a forensic investigation. The automatically identifying and collecting of the data from the target device is done without modifying a state of the target device.

According to one embodiment of the invention, the one or more search parameters include one or more search terms, and/or one or more file types.

According to one embodiment of the invention, the mobile device is a cellular phone.

According to one embodiment of the invention, the collected data is stored in a memory of the mobile device.

According to one embodiment of the invention, the digital search warrant is downloaded to the mobile device from a website.

According to one embodiment of the invention, the mobile device is configured to be coupled to the target device over a universal serial bus port. The data from the target device is collected over the universal serial bus port.

According to another embodiment, the method for conducting forensic investigations by investigators on an investigations field includes downloading a digital search warrant to a mobile device, the digital search warrant including one or more search parameters; coupling the mobile device to a target device in the investigations field; parsing the digital search warrant by the mobile device; and automatically identifying and collecting by the mobile device data from the target device based on the parsed digital search warrant during a forensic investigation. The automatically identifying and collecting of the data is done without modifying a state of the target device.

According to one embodiment of the invention, the mobile device stores an operating system. The operating system is configured to be invoked by the target device during a reboot of the target device. According to one embodiment, the operating system automatically invokes instructions for conducting the forensic investigation of the target device. The instructions are stored in a memory of the mobile device. The instructions may include parsing the digital search warrant, and identifying and collecting the data from the target device. The instructions may also include blocking write commands directed to the target device.

These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims, and accompanying drawings. Of course, the actual scope of the invention is defined by the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings accompanying and forming part of this specification are included to depict certain aspects of the invention. A clearer impression of the invention, and of the components and operation of systems provided with the invention, will become more readily apparent by referring to the exemplary, and therefore non-limiting, embodiments illustrated in the drawings, wherein identical reference numerals designate the same components. Note that the features illustrated in the drawings are not necessarily drawn to scale.

FIG. 1 is a schematic block diagram of a system for conducting forensic investigations by investigators on an investigations field, according to one embodiment of the invention;

FIG. 2 is a flow diagram of a process for generating and uploading a digital search warrant according to one embodiment of the invention;

FIG. 3 is a flow diagram of a process for receiving a digital search warrant and downloading the search warrant to an appropriate enforcement officer according to one embodiment of the invention;

FIG. 4 is a schematic block diagram of a mobile device acting as a holder of a search warrant and an evidence collector according to one embodiment of the invention;

FIG. 5 is a schematic block diagram of a digital search warrant stored in a memory of the mobile device of FIG. 4 according to one exemplary embodiment; and

FIG. 6 is a flow diagram of a process for conducting a forensic investigation of a target device according to one embodiment of the invention.

DETAILED DESCRIPTION

In general terms, embodiments of the present invention are directed to a system and method for conducting forensic investigations at an investigations field using a mobile device normally carried by law enforcement officers, such as, for example, a cellular phone, smart phone, tablet, and/or the like. New or modified search warrants are downloaded to the mobile device over a data communications network. In this manner, the law enforcement officer may receive the search warrant at any time and at any location, including while the law enforcement officer is at the investigations field.

The search warrants are digital search warrants that may be processed by forensic investigations software. The digital search warrants describe what the investigation software will do to conduct a search without requiring human interpretation of the search parameters. In this regard, the forensic investigations software parses the digital search warrant and automatically identifies evidence in a target device that is within the scope of the search warrant. The identified evidence is collected and stored in the memory of the mobile device, without modifying a state of the target device.

Although embodiments of the present invention are described in terms of search warrants which are court orders issued by a judge, a person of skill in the art should recognize that embodiments of the present invention may also extend to non-legal documents that may describe the search parameters of a forensic investigation, such as, for example, documents used by military personnel to obtain data from a suspect's computer, documents used by parole officers to quickly gather evidence relating to a parolee, and documents used by corporate security departments to perform speedy audits.

FIG. 1 is a schematic block diagram of a system for conducting forensic investigations by investigators on an investigations field, according to one embodiment of the invention. The system includes a generating computer device 10 located, for example, at a law enforcement headquarters, which is configured to generate a digital search warrant in response to, for example, a request by a law enforcement officer.

The generating computer device 10 is coupled to a server 12 over a data communications network 14. The data communications network 14 may be a local area network, private wide area network, or a public wide area network like the Internet.

According to one embodiment of the invention, the server 12 includes a search warrant hosting module 16 for receiving uploaded digital search warrants, transmitting those search warrants to the appropriate officers, and the like. The search warrant hosting module provides a website that different users may access to take different actions with respect to search warrants. For example, the generating computer device 10 may access the website for uploading generated search warrants to the website. The website may provide separate accounts for each user accessing the website along with separate security measures and rights with respect to the digital search warrants. For example, the website may provide separate accounts for different law enforcement officers, judges 18, attorneys 20, and the like. The website may provide to law enforcement officers that generate search warrants, either via the generating computer device 10 or directly via the website, first interactive links for generating and/or uploading a digital search warrant. The website may provide to judges 18 second interactive links to approve or reject an uploaded search warrant. The website may also provide to attorneys representing clients to whom the search warrants pertain, third interactive links for objecting to an uploaded search warrant.

Law enforcement officers on an investigations field often carry mobile devices 22 which may also be used to access the website 16. The mobile devices 22 may be cellular phones, personal digital assistants (PDAs), electronic tablets, laptops, or any mobile computing device conventional in the art. The mobile devices may be configured with a dedicated search warrant access module 28 for accessing the website/server and downloading digital search warrants generated for the law enforcement officers. According to this embodiment, the access module 28 may be described as a dedicated application included on the mobile device that allows interaction with the server 12 and/or website without invoking a web browser. The website may also be accessed via a standard web browser. According to one embodiment, the website provides one or more interactive links accessible to users of the mobile devices 22 for downloading digital search warrants to the mobile devices.

Each of the generating computer device 10, server 12, and mobile devices 22 (collectively referenced as computing devices) includes a central processing unit (CPU) for executing software instructions and interacting with other system components for performing the functions described herein. The computing devices 10, 12, 22 further include a mass storage device such as, for example, a hard disk drive or drive array, for storing various applications and data used for implementing the system. The computing devices further include an addressable memory for storing software instructions to be executed by the CPU. The memory may be implemented using a standard memory device, such as, for example, a random access memory (RAM). According to one embodiment, the memory stores a number of software objects or modules used for implementing the various functionalities of the system. For example, the memory of the generating computer device 10 may store a search warrant generating module 26 for generating search warrants. The memory of the server 12 may store instructions for providing the website 16. The memory of the mobile devices 22 may include the dedicated search warrant access module as well as other instructions for downloading search warrants and executing searches based on the search warrants. A person of skill in the art should recognize that all or a portion of the various modules may be implemented via firmware, hardware, or a combination of software, firmware, and/or hardware.

The computing devices 10, 12, 22 also include various input and output units conventional in the art such as, for example, keyboards, keypads, touch-screen units, display units, and the like. The computing devices may further include wired and/or wireless data communication links for accessing the data communications network 14, such as, for example, direct wires, infrared data ports, wireless communications links, or any other communications medium known in the art.

The mobile device 22 further includes a wired or wireless data communications link 42 for coupling to a target device 24. The data communications link may be, for example, a universal serial bus (USB) port or the like. The target device 24 may be any computing device that may be subject to a forensic investigation, such as, for example, a desktop, laptop, cellular phone, electronic tablet, or any other computing device conventional in the art. The target device 24 is coupled to a mass storage device 30 which stores data that may be collected by the mobile device 22 in response to a search warrant. The target device and the mass storage device are collectively referred to as the target device.

FIG. 2 is a flow diagram of a process for generating and uploading a digital search warrant according to one embodiment of the invention. In act 100, a local or remote user of the generating computer device 10 invokes the search warrant generating module 26 to input search warrant details. In this regard, the search warrant generating module 26 may prompt the user to enter information such as the location, object, keywords, and file types to be searched. The search warrant generating module 26 may also prompt the user to enter information on the enforcement officer for whom the search warrant is being generated, information on the user generating the search warrant, and/or information on the judge and attorneys involved. The search warrant generating module 26 receives the search warrant details from the user via input devices provided by the generating computing device 10 (or remotely over a data communication network), and in act 102, outputs a digital search warrant based on the input details. According to one embodiment of the invention, the digital search warrant is human-readable as well as machine-readable. As such, the digital search warrants may be generated using a markup language, such as, for example, XML. The search warrants may also be generated using another appropriate language conventional in the art.

In act 104, the search warrant generating module 26 saves the generated digital search warrant in a user identified folder or directory.

In act 106, the search warrant generating module 26 determines whether the user has selected an option to upload the generated search warrant to the server 12. If the answer is YES, the search warrant generating module 26 identifies in act 108, based on user entered information, the search warrant to upload, and the officer that is to receive the search warrant.

In act 110, the search warrant is uploaded to the website for the particular enforcement officer over the data communications network 14.

FIG. 3 is a flow diagram of a process for receiving a digital search warrant and downloading the search warrant to the appropriate enforcement officer according to one embodiment of the invention.

In act 200, the search warrant hosting module 16 determines whether a search warrant was received. According to one embodiment, the search warrant is uploaded by the generating computer device 10. The search warrant may also be generated by the website in response to information directly input into the website by a user generating the search warrant.

If the search warrant is received, the search warrant hosting module 16 takes the optional act of notifying the judge 18 and/or attorneys 20 about the search warrant in act 202. The notification may be to prompt a recipient of the notification to take a particular action. For example, the notification to the judge may be transmitted to request approval of the search warrant. The notification to the attorneys may be transmitted to give them notice of the search warrant and give them opportunity to object to the search. The judge and/or attorneys may access their accounts on the website to view or modify the text of the search warrant. According to one embodiment, the judge and/or attorneys may have a dedicated application installed in their end user devices to access the server 12 without invoking a web browser. According to one embodiment, the access to the website may be via the web browser.

In act 204, the search warrant hosting module 16 determines whether it has received user input (from the judge) indicating approval of the search warrant. If the search warrant is modified or not approved, the search warrant hosting module 16 marks the search warrant accordingly, and notifies, in act 206, the user who generated the search warrant of this fact for prompting the user to take appropriate action in response. The notification may include information as to why the search warrant was not approved or a corrected version of the warrant to be used. For example, the notification may include information as to any search terms in the digital search warrant objected by the attorneys. Based on this information, the process of FIG. 2 is re-executed to generate a modified search warrant and the modified search warrant is re-uploaded to the website. In this manner, warrants may be modified and provided to the field officers in real time.

According to one embodiment of the invention, the digital search warrant is a document generated using a computer language that allows parsing by a machine as well as to be output as text that may be read by a human. During the parsing, the digital search warrant may be segmented into discrete segments as is described in further detail in U.S. application Ser. No. 14/024,369, filed on Sep. 11, 2013, the content of which is incorporated herein by reference.

If the search warrant is approved, the search warrant hosting module 16 marks the search warrant accordingly, and proceeds to transmit a notification of this fact, in act 208, to the field officer that is to conduct the search. The notifications in acts 202, 206, and 208 may be, for example, emails, SMS messages, telephone messages, or any other visual and/or audio notifications conventional in the art. The notifications may also be visual indications provided to users accessing the website. For example, when the field officer accesses his account, he may be presented with a list of search warrants that have been approved and are waiting to be downloaded.

In act 210, the search warrant hosting module 16 determines whether the approved search warrant is to be downloaded. For example, the field officer may invoke the search warrant access module 28 on his mobile device 22 to access his account on the website. Once on the website, the field officer may be presented with a list of approved search warrants, and further presented with an option to download the listed search warrants. By accessing the search warrants in this manner, the field officer need not be present at the headquarters generating or modifying a search warrant, in order for him to receive the search warrant.

In response to positive indication by the field officer that a particular search warrant is to be downloaded, the search warrant is downloaded to the field officer's mobile device via the data communications network 14. The downloaded search warrant is stored in the memory of the mobile device 22.

FIG. 4 is a schematic block diagram of the mobile device 22 according to one embodiment of the invention. The mobile device 22 includes, among other elements, a processor 38 coupled to a memory 36. The processor 38 is configured to execute computer program instructions stored in the memory. Such computer program instructions include, among others, instructions for conducting forensic investigation 34 of the target device 24 (hereinafter referred to as investigation software). In this regard, the investigation software includes instructions for implementing a stripped down version of an operating system, such as, for example, the Windows PE OS. The operating system in the mobile device is used to boot up the target device 24 instead of the target device's operating system. The investigation software further includes instructions to parse an electronic search warrant 32 also stored in the memory, for determining the scope of a search to be conducted on the target device 24 (e.g. what is to be searched, which keywords are to be used, what types of files are to be retrieved, etc.).

The search warrant access module 28 may also be stored in the memory. The search warrant access module 28 may be invoked for accessing the server 12 and downloading search warrants from the server. In this manner, the mobile device acts as the holder of the search warrant. The mobile device also acts as an evidence collector to collect forensic data 40 within the scope of the search warrant. The collected forensic data 40 is also stored in the memory of the mobile device.

FIG. 5 is a schematic block diagram of the digital search warrant 32 stored in the memory of the mobile device 22 according to one exemplary embodiment. The digital search warrant includes, for example, one or more search terms 50, file types 52, and the like. These search parameters are used by the forensic investigation software for retrieving data from the target device 24. The digital search warrant 32 may also include one or more public encryption keys 54. These public keys can be used to encrypt the data that is collected from the target device so that it can only be viewed by parties in possession of the corresponding private key.

FIG. 6 is a flow diagram of a process for conducting a forensic investigation of a target device according to one embodiment of the invention. The process starts, and in act 300, the field officer couples the mobile device 22 to the target device 24 via the data communications link 42, and causes the rebooting of the target device. During the rebooting process, the field officer changes the BIOS configuration of the target device to boot from a device connected to its USB port. The target device thus boots up using the operating system stored in the memory of the mobile device 22 instead of the target's operating system. The operating system in the memory of the mobile device automatically runs the investigation software 34 also stored in the memory of the mobile device 22.

The investigation software, in act 302, determines whether there is a digital search warrant to be executed. If the answer is NO, the investigation software proceeds, in act 304, to conduct investigation of the target based on commands from the field officer.

If, however, a search warrant exists, the investigation software proceeds to parse the search warrant in act 306 to identify the search parameters to be used during the forensic investigation of the target device.

In act 308, the investigation software proceeds to identify and collect data from the target device based on the parsed parameters. For example, if the parsed search parameters indicate that files having a particular file extension are to be collected, the investigation software identifies and collects files having the particular file extension. Also, if the parsed search parameters indicate that documents having particular keywords are to be collected, the investigation software identifies and collects files having the particular keywords. In this regard, the investigation software is configured to control the write blocking of the target device to retain forensic integrity during the investigation process. According to one embodiment, the investigation software is configured to block write commands directed to the target device that would change a state of the target device 24 or its associated mass storage device 30. Such commands may include, for example, commands that would modify device metadata, filesystem metadata, other types of data, and the like. Any write blocker technology conventional in the art may be used. By filtering out the write commands, the investigation software may collect data from the target device without making any change to the target device 24 or its associated mass storage device 30.

In act 310, the investigation software stores the collected data in the memory of the mobile device in a user specified folder or directory. The collected data may then be taken back to the headquarters to be downloaded onto the device of an expert in computer forensics. The expert may run a full analysis of the collected data, run reports, and the like.
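As an added illustration of acts 306 to 310 (not code from the patent or its applicant), the following Python example parses an XML warrant, selects files by extension and keyword, and copies them to an evidence folder with a SHA-256 manifest. The element names, the sample warrant and target tree, and the rule that a listed extension restricts which files are keyword-searched are assumptions; opening files read-only here stands in for, and is not, a write blocker.

```python
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample warrant. Element names are assumptions made for this example.
SAMPLE_WARRANT = """<warrant id="EXAMPLE-0001">
  <searchTerms><term>invoice</term><term>wire transfer</term></searchTerms>
  <fileTypes><ext>.txt</ext><ext>csv</ext></fileTypes>
</warrant>"""


def parse_warrant(xml_text):
    """Act 306: pull the search parameters out of the digital warrant."""
    if "<!doctype" in xml_text.lower():
        # The warrant arrives over a network: refuse DTDs (entity-expansion input).
        raise ValueError("DOCTYPE not allowed in a warrant")
    root = ET.fromstring(xml_text)
    terms = [t.text.strip().lower() for t in root.iter("term") if t.text and t.text.strip()]
    exts = {"." + e.text.strip().lower().lstrip(".")
            for e in root.iter("ext") if e.text and e.text.strip()}
    if not terms and not exts:
        raise ValueError("warrant carries no search parameters")
    return {"id": root.get("id", ""), "terms": terms, "exts": exts}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only handle, never a write mode
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def file_matches(path, params, chunk=1 << 16):
    """Act 308 filter (assumed rule): extension list limits scope, then keywords."""
    if params["exts"] and os.path.splitext(path)[1].lower() not in params["exts"]:
        return False
    if not params["terms"]:
        return True
    needles = [t.encode("utf-8") for t in params["terms"]]
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = tail + block  # keep an overlap so a term split across reads is found
            if any(n in window.lower() for n in needles):  # ASCII case-insensitive
                return True
            tail = window[-overlap:] if overlap else b""


def collect(target_root, evidence_dir, params):
    """Acts 308-310: copy in-scope files to evidence_dir and return a hash manifest."""
    manifest = []
    for dirpath, dirnames, filenames in os.walk(target_root):
        dirnames.sort()
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            if os.path.islink(src) or not os.path.isfile(src):
                continue  # do not follow links out of the examined tree
            if not file_matches(src, params):
                continue
            rel = os.path.relpath(src, target_root)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            digest = sha256_file(dst)
            if digest != sha256_file(src):
                raise IOError("copy of %s does not match its source" % rel)
            manifest.append({"path": rel.replace(os.sep, "/"), "sha256": digest})
    return manifest


def demo():
    """Run the sample warrant over a constructed target tree."""
    files = {  # constructed sample data
        "docs/a.txt": b"Invoice 17 attached",
        "docs/b.txt": b"lunch menu",
        "docs/c.csv": b"date,note\n2013-02-28,WIRE TRANSFER\n",
        "docs/d.bin": b"invoice in an unlisted file type",
    }
    with tempfile.TemporaryDirectory() as tmp:
        target, evidence = os.path.join(tmp, "target"), os.path.join(tmp, "evidence")
        os.makedirs(os.path.join(target, "docs"))
        os.makedirs(evidence)
        for rel, data in files.items():
            with open(os.path.join(target, rel), "wb") as fh:
                fh.write(data)
        before = {rel: sha256_file(os.path.join(target, rel)) for rel in files}
        manifest = collect(target, evidence, parse_warrant(SAMPLE_WARRANT))
        after = {rel: sha256_file(os.path.join(target, rel)) for rel in files}
        return [m["path"] for m in manifest], before == after


if __name__ == "__main__":
    print(demo())
```

The manifest hashes give the examiner at headquarters a way to confirm that what was collected in the field is what arrives for analysis.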

The processes of FIGS. 2, 3, and 6 may be described in terms of a software routine executed by the corresponding CPU based on instructions stored in memory. The instructions may also be stored in any other non-transitory computer readable media such as, for example, a CD-ROM, flash drive, or the like. A person of skill in the art should recognize, however, that the processes may be executed via hardware, firmware (e.g. via an ASIC), or in any combination of software, firmware, and/or hardware. Furthermore, the sequence of acts of the processes are not fixed, but can be altered into any desired sequence as recognized by a person of skill in the art.

It is the applicant's intention to cover by claims all such uses of the invention and those changes and modifications which could be made to the embodiments of the invention herein chosen for the purpose of disclosure without departing from the spirit and scope of the invention. Thus, the present embodiments of the invention should be considered in all respects as illustrative and not restrictive, the scope of the invention to be indicated by the appended claims and their equivalents rather than the foregoing description.

1.-23. (canceled)
 24. A method for conducting forensic investigations ofa target computing device, the method comprising: receiving a digitalsearch warrant at a forensic investigation application executing on amobile device, the digital search warrant including a search parameterfor conducting a forensic investigation of a target device; booting, bythe forensic investigation application at the mobile device, the targetdevice over a data communication link between the mobile device and thetarget device using an operating system stored in a memory at the mobiledevice such that the target device is executing the operating system onthe target device from a memory address in the memory of the mobiledevice over the data communication link, and the operating systemexecuting from the memory address of the memory of the mobile device onthe target device executes the forensic investigation application at themobile device to search the target device without user involvement;parsing, by the forensic investigation application executing at themobile device, the digital search warrant to identify the searchparameter to use on the target device, the search parameter of thedigital search warrant including a keyword or a file extensionidentifying a type of file; searching, by the forensic investigationapplication at the mobile device, files at the target device over thedata communications link between the mobile device and the target deviceto identify a set of files on the target device that include the keywordof the search parameter or are the type of file specified by the fileextension in the digital search warrant, wherein when the searchparameter includes a file extension, the searching of the files at thetarget device comprises only searching the files of the type of fileidentified by the file extension without modification of a state of thetarget device; and retrieving, from the target device, the set of filesthat include the search parameter without modifying the state of thetarget device, 
wherein the retrieving is done by the forensicinvestigation application executing at the mobile device over the datacommunications link between the mobile device and the target device. 25.The method of claim 24, wherein the digital search warrant includes anencryption key to encrypt the set of files that include the searchparameter.
 26. The method of claim 24, wherein the searching of files ofthe target device comprises blocking write commands to the targetdevice.
 27. The method of claim 24, wherein the digital search warrantcomprises a machine-readable segment and a human-readable segment.
 28. A method for creating a digital search warrant, comprising: providing an interface for generating a digital search warrant including a search parameter for conducting a forensic investigation of a target device, wherein the search parameter of the digital search warrant includes a keyword or a file extension identifying a type of file, and the digital search warrant is provided to a forensic investigation application executing on a mobile device from the digital search warrant system, wherein the forensic investigation application on the mobile device adapted for: booting the target device over a data communication link between the mobile device and the target device using an operating system stored in a memory at the mobile device such that the target device is executing the operating system on the target device from a memory address in the memory of the mobile device over the data communication link, and the operating system executing from the memory address of the memory of the mobile device on the target device executes the forensic investigation application at the mobile device to search the target device without user involvement; parsing the digital search warrant to identify the search parameter to use on the target device, the search parameter of the digital search warrant including a keyword or a file extension identifying a type of file; searching files at the target device over the data communications link between the mobile device and the target device to identify a set of files on the target device that include the keyword of the search parameter or are the type of file specified by the file extension in the digital search warrant, wherein when the search parameter includes a file extension, the searching of the files at the target device comprises only searching the files of the type of file identified by the file extension without modification of a state of the target device; and retrieving the set of files that include the search parameter without modifying the state of the target device, wherein the retrieving is done by the forensic investigation application executing at the mobile device over the data communications link between the mobile device and the target device.
 29. The method of claim 28, wherein the interface is a website.
 30. The method of claim 29, wherein the interface allows a user to select the digital search warrant to be provided to the mobile device.
 31. A system, comprising: a processor; and a non-transitory computer readable medium, comprising instructions for: receiving a digital search warrant at a forensic investigation application executing on a mobile device, the digital search warrant including a search parameter for conducting a forensic investigation of a target device; booting, by the forensic investigation application at the mobile device, the target device over a data communication link between the mobile device and the target device using an operating system stored in a memory at the mobile device such that the target device is executing the operating system on the target device from a memory address in the memory of the mobile device over the data communication link, and the operating system executing from the memory address of the memory of the mobile device on the target device executes the forensic investigation application at the mobile device to search the target device without user involvement; parsing, by the forensic investigation application executing at the mobile device, the digital search warrant to identify the search parameter to use on the target device, the search parameter of the digital search warrant including a keyword or a file extension identifying a type of file; searching, by the forensic investigation application at the mobile device, files at the target device over the data communications link between the mobile device and the target device to identify a set of files on the target device that include the keyword of the search parameter or are the type of file specified by the file extension in the digital search warrant, wherein when the search parameter includes a file extension, the searching of the files at the target device comprises only searching the files of the type of file identified by the file extension without modification of a state of the target device; and retrieving, from the target device, the set of files that include the search parameter without modifying the state of the target device, wherein the retrieving is done by the forensic investigation application executing at the mobile device over the data communications link between the mobile device and the target device.
 32. The system of claim 31, wherein the digital search warrant includes an encryption key to encrypt the set of files that include the search parameter.
 33. The system of claim 31, wherein the searching of files of the target device comprises blocking write commands to the target device.
 34. The system of claim 31, wherein the digital search warrant comprises a machine-readable segment and a human-readable segment.
 35. A system for creating a digital search warrant, comprising: a processor; a non-transitory computer readable medium comprising instructions for: providing an interface for generating a digital search warrant including a search parameter for conducting a forensic investigation of a target device, wherein the search parameter of the digital search warrant includes a keyword or a file extension identifying a type of file, and the digital search warrant is provided to a forensic investigation application executing on a mobile device from the digital search warrant system, wherein the forensic investigation application on the mobile device adapted for: booting the target device over a data communication link between the mobile device and the target device using an operating system stored in a memory at the mobile device such that the target device is executing the operating system on the target device from a memory address in the memory of the mobile device over the data communication link, and the operating system executing from the memory address of the memory of the mobile device on the target device executes the forensic investigation application at the mobile device to search the target device without user involvement; parsing the digital search warrant to identify the search parameter to use on the target device, the search parameter of the digital search warrant including a keyword or a file extension identifying a type of file; searching files at the target device over the data communications link between the mobile device and the target device to identify a set of files on the target device that include the keyword of the search parameter or are the type of file specified by the file extension in the digital search warrant, wherein when the search parameter includes a file extension, the searching of the files at the target device comprises only searching the files of the type of file identified by the file extension without modification of a state of the target device; and retrieving the set of files that include the search parameter without modifying the state of the target device, wherein the retrieving is done by the forensic investigation application executing at the mobile device over the data communications link between the mobile device and the target device.
 36. The system of claim 35, wherein the interface is a website.
 37. The system of claim 36, wherein the interface allows a user to select the digital search warrant to be provided to the mobile device.
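The parsing and scoped-search steps recited in claims 28, 31 and 34 can be illustrated with a short sketch. This is an added example, not code from the patent or its assignee: the segment delimiters, the JSON field names `keyword` and `extensions`, and the reading that an extension list narrows a keyword search are all assumptions. Write blocking (claim 33) happens at the link layer and is not modelled here; the sketch only opens files read-only.

```python
import json
import os

# Constructed warrant: a human-readable segment followed by a machine-readable
# JSON segment. The delimiters and field names are assumptions for this example.
SAMPLE_WARRANT = """\
SEARCH WARRANT (constructed sample)
Scope: documents mentioning "invoice" in .txt files.
-----BEGIN MACHINE-READABLE-----
{"keyword": "invoice", "extensions": [".txt"]}
-----END MACHINE-READABLE-----
"""
BEGIN = "-----BEGIN MACHINE-READABLE-----"
END = "-----END MACHINE-READABLE-----"

def parse_warrant(text):
    """Return (keyword, extensions) from the machine-readable segment."""
    if BEGIN not in text or END not in text:
        raise ValueError("warrant has no machine-readable segment")
    params = json.loads(text.split(BEGIN, 1)[1].split(END, 1)[0])
    keyword = params.get("keyword")
    exts = [e.lower() for e in params.get("extensions", [])]
    if not keyword and not exts:
        raise ValueError("warrant names neither a keyword nor a file extension")
    return keyword, exts

def search(root, keyword, exts):
    """Return in-scope paths; files outside the extension list are never opened."""
    needle = keyword.lower().encode() if keyword else None
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if exts and os.path.splitext(name)[1].lower() not in exts:
                continue  # out of warrant scope: skip without reading
            if needle is None:
                hits.append(path)  # extension-only warrant: type match suffices
                continue
            with open(path, "rb") as fh:  # read-only handle, no writes issued
                if needle in fh.read().lower():
                    hits.append(path)
    return sorted(hits)
```

Reading a file can still update its access time on a normally mounted filesystem, which is why the claims pair the search with write blocking rather than relying on read-only handles alone.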